Open CiciLi1 opened 5 months ago
@CiciLi1
Can you please check whether https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-april-8th-2024/ or https://github.com/NuGet/docs.microsoft.com-nuget/commit/bb9d25cc90e2a55c3cda4ea8b79d404f855cfdcf are of any help.
@CiciLi1
Can you please check whether https://devblogs.microsoft.com/nuget/the-nuget-org-repository-signing-certificate-will-be-updated-as-soon-as-april-8th-2024/ or NuGet/docs.microsoft.com-nuget@bb9d25c are of any help.
Hi @nkolev92, I checked the link you provided, which talks about repository signed certificates, but this issue is about author signed certificates.
Thanks to your analysis, I see that Microsoft.Web.Infrastructure 1.0.0 is a package that was published in 2011, so it's expected that it doesn't have an author signature.
To me this looks like a bug has been fixed, rather than a new introduced bug. I'm not sure what the root cause for that may be.
It still reproes on VS Main\35222.175 + NuGet Client Dev\6.12.0.82.
NuGet Product Used
Visual Studio Package Management UI
Product Version
NuGet Client Dev\6.10.0.82
Worked before?
It doesn’t repro on VS Main\34426.11 + NuGet Client Dev\6.9.0.67.
Impact
It's more difficult to complete my work
Repro Steps & Context
Repro Steps:
Patch dotnet SDK: Patch dotnet SDK.
Add NuGet.exe path into System variables and create a package with command "nuget pack .csproj" for testing.
Create a project, add required mode in nuget.config file with trusted signers list:
Expected:
Verify there was no error and the package was installed in the project successfully.
Actual:
The package failed to install with error NU3034 “Package 'Microsoft.Web.Infrastructure 1.0.0.0' from source 'https://api.nuget.org/v3/index.json': This package is signed but not by a trusted signer.” as below:
Notes:
The repro rate is 100%.
It also reproes on these two test cases
536740 Client policy test: Install/Restore with trusted signers and package reposigned with trusted repository(3 types of projects:PC/PR/Legacy PR
536741 Client policy test: Install/Restore with trusted signers and package reposigned with trusted repository and with owner matching one in trusted repository entry(3 types of projects:PC/PR/Legacy PR))
(We verified the package “Microsoft.Web.Infrastructure 1.0.0.0” with the command
nuget.exe verify -all -verbosity detailed microsoft.web.infrastructure.1.0.0.nupkg
, the result shows as below)Verbose Logs
No response